Pages

Tuesday, February 24, 2015

It is almost time for the CanSecWest security conference, which has played host to Google's Pwnium competition for the last few years. For those that don't know, Pwnium is the hacking competition that gives security researchers a chance to show off some of their latest exploits for the chance to win a share of a huge pile of cash that Google puts up for rewards each year (last year it was e million). This year Google has announced it will be making a few changes to the competition taking it to all new levels of extreme!

Starting today, Pwnium will change its scope significantly, from a single-day competition held once a year at CanSecWest to a year round, worldwide opportunity for security researchers to showcase their findings of the latest bugs and vulnerabilities.

Google says they are making these changes for several reasons. The biggest of course being delays in reporting of new finds. As it stands there is little incentive for researchers to come forward with vulnerabilities, because it literally doesn’t pay to do so. With the new, more lucrative rewards program Google hopes to eliminate those delays. Some other reasons for the changes given are:

Removing barriers to entry: At Pwnium competitions, a security researcher would need to have a bug chain in March, pre-register, have a physical presence at the competition location and hopefully get a good timeslot. Under the new scheme, security researchers can submit their bugs year-round through the Chrome Vulnerability Reward Program (VRP) whenever they find them.

Removing the incentive for bug hoarding: If a security researcher was to discover a Pwnium-quality bug chain today, it’s highly likely that they would wait until the contest to report it to get a cash reward. This is a bad scenario for all parties. It’s bad for us because the bug doesn’t get fixed immediately and our users are left at risk. It’s bad for them as they run the real risk of a bug collision. By allowing security researchers to submit bugs all year-round, collisions are significantly less likely and security researchers aren’t duplicating their efforts on the same bugs.

Our researchers want this: On top of all of these reasons, we asked our handful of participants if they wanted an option to report all year. They did, so we’re delivering.

Starting today, instead of going the traditional route and applying for Pwnium, researchers can now submit bug chains to the Chrome Vulnerability Reward Program for confirmation and possible payout. Here are a list of rules for submission:

Only the first report of a given issue that we were previously unaware of is eligible. In the event of a duplicate submission, the earliest filed bug report in the bug tracker is considered the first report.

Bugs disclosed publicly or to a third-party for purposes other than fixing the bug will typically not qualify for a reward. We encourage responsible disclosure, and believe responsible disclosure is a two-way street; it’s our duty to fix serious bugs within a reasonable time frame.

If you have a fuzzer running on ClusterFuzz as part of our Trusted Researcher program, you will not receive a reward if one of our fuzzers finds the same bug within 48 hours.

Google will be adding Pwnium-style bug chains on Chrome OS to the Chrome VRP. This will increase the top reward to $50,000, which will be on offer all year-round. There’s no limit on the number of bugs you can submit. Last year, the Pwnium gave out awards ranging from $110,000 to $150,000 for various pre-determined exploits. Google says the reason Pwnium rewards were so much larger is because of the constraints on the types of bugs that could be submitted.

For security teams and researchers interested Google invites you to checkout their FAQ for more information. Good luck and happy bug hunting!